CVE-2009-1275

Apache Tiles 2.1-2.1.1 - Cross-Site Scripting via tiles:putAttribute and tiles:insertTemplate JSP Tags

Title source: llm
STIX 2.1

Description

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.

References (3)

Core 3
Core References
Vendor Advisory x_refsource_confirm
https://issues.apache.org/struts/browse/TILES-351
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34657

Scores

EPSS 0.0281
EPSS Percentile 84.9%

Details

Status published
Products (3)
apache/tiles 2.1.0
apache/tiles 2.1.1
org.apache.tiles/tiles-core 2.1 - 2.1.2Maven
Published Apr 09, 2009
Tracked Since Feb 18, 2026